New variant of KillDisk wiper threatens industrial control networks with ransomware

The TeleBots gang, which recently attacked Ukrainian banks with KillDisk malware that used Mr. Robot imagery (pictured), may now be targeting industrial control systems with a ransomware variant.

The KillDisk disk-wiper program that was used in conjunction with BlackEnergy malware to attack Ukrainian energy utilities has evolved into ransomware that may be targeting industrial-control networks.

According to researchers at CyberX, the new variant was developed by the TeleBots cybergang, which recently emerged from the Sandworm threat group that is believed to have disrupted the Ukrainian power grid offline in December 2015 and January 2016, and allegedly compromised U.S. industrial-control systems and SCADA systems in 2014. Earlier this year, ESET researchers reported that TeleBots was a using different version of KillDisk to conduct cybersabotage attacks against the Ukrainian financial sector.

In a blog post on Tuesday, CyberX reported that the ransomware variant is distributed via malicious Office attachments and displays a pop-up message demanding 222 Bitcoins, which is currently the equivalent of approximately $206,000. The variant's exorbitant ransom and its link to Sandworm suggests that the group could be actively launching ransomware attacks against industrial-control networks.

KillDisk uses a mix of RSA 1028 public key and AES shared key algorithms to encrypt local hard-drives and network-mapped folders that are shared across organizations, CyberX further reported.

Techscape is SC Media’s content marketing platform. Industry experts share their views in the following categories

Partner Content is sponsored content brought to you by a vendor

SC Media arms cybersecurity professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.